Overview
CVE-2025-13178 is a reported Cross-Site Scripting (XSS) vulnerability found in Bdtask/CodeCanyon SalesERP, affecting versions up to 20250728. The vulnerability resides in the /edit_profile component, specifically within the User Profile Handler. An attacker can remotely exploit this flaw by manipulating the first_name or last_name arguments. This can lead to the execution of malicious scripts within a user’s browser.
Technical Details
The vulnerability is classified as a basic Cross-Site Scripting (XSS) flaw. When a user attempts to edit their profile through the /edit_profile endpoint, the first_name and last_name fields are vulnerable to injection. An attacker can insert malicious JavaScript code into these fields. When the application renders the profile page, this injected script will be executed in the victim’s browser within the context of the SalesERP web application.
The exploit is publicly available, which increases the risk of exploitation.
CVSS Analysis
- CVSS Score: 3.5
- Severity: Low
Despite the low severity score, XSS vulnerabilities can still pose a risk. The CVSS score reflects the limited scope of the potential impact and the requirements for exploitation. However, a successful XSS attack can lead to session hijacking, defacement, or redirection to malicious websites. It’s important to address even low severity vulnerabilities to maintain a robust security posture.
Possible Impact
While the CVSS score is low, the impact of a successful XSS exploit can be significant. An attacker could potentially:
- Steal a user’s session cookies, gaining unauthorized access to their account.
- Deface the web page, displaying misleading or malicious content.
- Redirect users to phishing sites or other malicious websites.
- Potentially escalate privileges within the SalesERP application if combined with other vulnerabilities.
Mitigation or Patch Steps
Unfortunately, based on the provided information, the vendor did not respond to the disclosure. Therefore, immediate patching from the vendor is not available. Consider the following mitigation steps:
- Input Validation: Implement strict input validation on the first_name and last_name fields in the /edit_profile endpoint. Sanitize user input by encoding special characters and removing potentially malicious code.
- Output Encoding: Ensure proper output encoding when displaying user-provided data, especially in the user profile section. Use appropriate encoding functions to prevent the browser from interpreting injected scripts.
- Web Application Firewall (WAF): Deploy a Web Application Firewall (WAF) to filter out malicious requests and block potential XSS attacks. Configure the WAF with rules to detect and prevent XSS attempts targeting the SalesERP application.
- Content Security Policy (CSP): Implement a Content Security Policy (CSP) to control the resources that the browser is allowed to load. This can help prevent the execution of unauthorized scripts.
- Regular Security Audits: Conduct regular security audits and penetration testing to identify and address vulnerabilities in the SalesERP application.
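As an added illustration of the Input Validation and Output Encoding steps above (example code written for this page, not code from SalesERP or Bdtask), the Python below assumes a handler that receives first_name and last_name from /edit_profile, stores them, and later renders them into the profile page. The field and endpoint names come from the advisory; the function names, allowed character set and sample rows are constructed.

```python
import html
import re

# Allowed shape for a name: starts with a letter (any script), then letters,
# spaces, hyphens, apostrophes or periods. Angle brackets, quotes, ampersands
# and everything else are rejected before the value reaches storage.
_NAME_RE = re.compile(r"^[^\W\d_](?:[^\W\d_]|[ .'\-])*$")


def validate_name(value: str, max_len: int = 64) -> str:
    """Server-side check for first_name / last_name on /edit_profile.
    Returns the normalised value or raises ValueError so the handler can
    reject the request instead of persisting the payload."""
    normalised = " ".join(value.split())  # collapse runs of whitespace
    if not normalised or len(normalised) > max_len:
        raise ValueError("name length out of range")
    if not _NAME_RE.match(normalised):
        raise ValueError("name contains characters outside the allowed set")
    return normalised


def render_profile(first_name: str, last_name: str) -> str:
    """Render stored names into the profile page with context-appropriate
    HTML encoding. quote=True also escapes ' and ", which matters for the
    attribute context; this layer neutralises values stored before
    validation existed."""
    first = html.escape(first_name, quote=True)
    last = html.escape(last_name, quote=True)
    return (
        f'<input name="first_name" value="{first}">\n'
        f'<input name="last_name" value="{last}">\n'
        f"<h2>{first} {last}</h2>"
    )


# Constructed sample rows standing in for the application's users table.
SAMPLE_ROWS = [
    {"user_id": 1, "first_name": "Anne-Marie", "last_name": "O'Neill"},
    {"user_id": 2, "first_name": "<script>alert(1)</script>", "last_name": "Smith"},
    {"user_id": 3, "first_name": "Ann", "last_name": 'Ann "AJ" Lee'},
]


def find_suspicious_profiles(rows):
    """Audit helper: list (user_id, field, reason) for stored values that
    fail today's validation, i.e. data entered before the check was added."""
    flagged = []
    for row in rows:
        for field in ("first_name", "last_name"):
            try:
                validate_name(row[field])
            except ValueError as exc:
                flagged.append((row["user_id"], field, str(exc)))
    return flagged
```

The audit helper exists because rows written before validation was in place are exactly what the encoding layer has to neutralise; flag and clean them rather than relying on either control alone.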
